Re: [fw-wiz] How should an Internet connection/firewall be designed?

On Wed, Jan 17, 2007 at 08:11:30PM -0800, Kaas, David D wrote:

> We have always had a firewall on our Internet connection. We went from
> home-grown, to fwtk (Thanks Marcus) and then a commercial system with
> snort IDS outside, on the DMZ and inside the firewall. We have always
> had very tight access controls. Few ports open to our DMZ, even fewer
> to our internal network that require one-time-passwords and restricted
> access to the Internet that must be approved by security. Now we have
> been told to upgrade/modify our Internet connection with new firewalls,
> IPS and deep packet inspection devices. I would appreciate information
> on what are considered common practices.

> How many companies have two serial firewalls from different vendors?

I don't think it is really often needed to have two "strictly serial"
firewalls to inspect similar traffic, but having say, Netscreen on the border
and Cyberguard protecting LAN seems reasonable.

> How many companies have an IPS/deep-packet-inspection device between the
> firewall and the border router?

> How many companies still use IDS?

Well, an IPS/deep-packet-inspection device is just a buzzword for an IDS with
somehow unpredictable behavior ;-)

> How many companies have some form of deep packet inspection device in
> front of their DMZ web servers? What do they use?

As most of them rely on signature analysis, I see little to no use for them.
Host-based protection systems do better.

> It seems like the added complexity and multiple devices will increase
> management costs and may actually decrease security and reliability.
> Our current design may be rather simple but in over 12 years we have had
> less than a couple of hours of down time and have not had a detected
> breakin to our internal network.

> I would appreciate any comments.
>
> Thank you,
>
> Dave Kaas
firewall-wizards mailing list
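The two points the thread turns on, what a second, independently written firewall in front of the LAN actually buys you, and how to keep "few ports open, approved by security" true over time, are easier to reason about against a model of the effective policy. The following is an added example, not code from the original message or from the firewall-wizards list. It assumes a constructed topology (Internet - border firewall - DMZ - inner firewall - LAN), first-match rule sets with an implicit default deny, TCP-only rules, and RFC 5737 documentation addresses; the rule sets and the approved list are invented for the illustration and do not describe any real site.

```python
# Added example, not from the thread: effective policy of two serial firewalls on a
# constructed topology Internet - border FW - DMZ - inner FW - LAN.  Rules are
# first-match with implicit default deny; TCP only; RFC 5737 addresses throughout.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
DMZ = ip_network("192.0.2.0/24")     # constructed DMZ range
LAN = ip_network("198.51.100.0/24")  # constructed internal range

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst)
                and self.dport in (None, flow.dport))

def decide(rules: List[Rule], flow: Flow) -> bool:  # first match wins; default deny
    for rule in rules:
        if rule.matches(flow):
            return rule.action == "permit"
    return False

BORDER = [  # fronts the DMZ and the path into the LAN
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 80),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", 25),
    Rule("permit", "0.0.0.0/0", "192.0.2.30/32", 8080),  # never approved by security
    # Constructed mistake: SSH was meant for the one OTP gateway, not the whole LAN.
    Rule("permit", "0.0.0.0/0", "198.51.100.0/24", 22),
    Rule("permit", "198.51.100.0/24", "0.0.0.0/0", 443),
]
INNER = [  # protects the LAN; written independently and more tightly
    Rule("permit", "0.0.0.0/0", "198.51.100.10/32", 22),
    Rule("deny", "0.0.0.0/0", "198.51.100.0/24", None),
    Rule("permit", "198.51.100.0/24", "0.0.0.0/0", 443),
]
APPROVED = [  # what security signed off on: the audit baseline
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 80),
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", 25),
    Rule("permit", "0.0.0.0/0", "198.51.100.10/32", 22),
    Rule("permit", "198.51.100.0/24", "0.0.0.0/0", 443),
]

def zone(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "lan" if a in LAN else "internet"

def path(flow: Flow):
    """Firewalls the flow crosses, in order; outbound LAN traffic meets the inner one first."""
    zones = (zone(flow.src), zone(flow.dst))
    layers = []
    if "internet" in zones:   # border sits between the Internet and everything else
        layers.append(("border", BORDER))
    if "lan" in zones:        # inner sits between the DMZ and the LAN
        layers.append(("inner", INNER))
    return layers[::-1] if zones[0] == "lan" else layers

def evaluate(flow: Flow) -> Optional[str]:
    """Name of the first firewall that drops the flow; None if it gets through."""
    for name, rules in path(flow):
        if not decide(rules, flow):
            return name
    return None

def unapproved_reachable(flows: List[Flow]) -> List[Flow]:
    """Flows that get through end to end yet match no approved rule."""
    return [f for f in flows
            if evaluate(f) is None and not any(r.matches(f) for r in APPROVED)]

def border_only_exposure(flows: List[Flow]) -> List[Flow]:
    """LAN-bound flows the border alone admits but the inner layer stops."""
    return [f for f in flows
            if zone(f.dst) == "lan" and decide(BORDER, f) and evaluate(f) == "inner"]

SAMPLE_FLOWS = [  # constructed probes
    Flow("203.0.113.5", "192.0.2.20", 80),      # web to DMZ
    Flow("203.0.113.5", "192.0.2.20", 25),      # SMTP to a non-mail host
    Flow("203.0.113.5", "198.51.100.10", 22),   # SSH to the OTP gateway
    Flow("203.0.113.5", "198.51.100.20", 22),   # SSH to an ordinary LAN host
    Flow("192.0.2.20", "198.51.100.20", 3306),  # DMZ host to a LAN database
    Flow("198.51.100.50", "203.0.113.5", 443),  # LAN user browsing out
    Flow("203.0.113.5", "192.0.2.30", 8080),    # the never-approved test port
]
if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "PASS" if evaluate(f) is None else f"DROP by {evaluate(f)}")
    print("reachable but unapproved:", unapproved_reachable(SAMPLE_FLOWS))
    print("caught only by the inner layer:", border_only_exposure(SAMPLE_FLOWS))
```

Two findings come out of the sample run. The SSH flow to an ordinary LAN host is admitted by the border (the over-broad rule) and dropped only by the inner firewall, which is the concrete case for the border-plus-LAN layering the reply describes, and it only works because the inner rule set was written independently rather than copied. The 8080 port on the DMZ host is reachable yet matches nothing security approved, which is the kind of drift a periodic audit against an approved list catches regardless of how many boxes are in series. Against real exports the same logic applies once the vendor rule dumps are parsed into Rule objects.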
